From 95e67327c2905bd30c2601192213084a313553db Mon Sep 17 00:00:00 2001
From: Jan Olderdissen
Date: Tue, 21 Apr 2026 18:48:10 +0200
Subject: [PATCH 1/5] Allow Dockerfile changes.
---
 checks/check_patching_sla.py | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/checks/check_patching_sla.py b/checks/check_patching_sla.py
index a45f94b..64115c7 100644
--- a/checks/check_patching_sla.py
+++ b/checks/check_patching_sla.py
@@ -1,11 +1,13 @@
 import json
 import sys
 import os
+import fnmatch
 import boto3
 from botocore.exceptions import ClientError
-# The list of allowed files in the patch. If any file outside this list is modified, the patch will be blocked.
+# The list of allowed files/patterns in the patch. If any file outside this list is modified, the patch will be blocked.
 # The list includes any file that is necessary for dependency management or build configuration.
+# Supports glob patterns (e.g., "*.lock").
 ALLOWED_FILES = [
 ".snyk",
 "CODEOWNERS",
@@ -19,9 +21,29 @@
 "Package.swift",
 "Package.resolved",
 "project.pbxproj",
- "uv.lock"
+ "uv.lock",
+ "Dockerfile*"
 ]
+def is_file_allowed(file_path, allowed_patterns):
+ """
+ Check if a file basename matches any of the allowed patterns.
+
+ Args:
+ file_path: The file path to check
+ allowed_patterns: List of allowed file patterns (supports glob patterns)
+
+ Returns:
+ True if the file basename matches any allowed pattern, False otherwise
+ """
+ filename = os.path.basename(file_path)
+
+ for pattern in allowed_patterns:
+ if fnmatch.fnmatch(filename, pattern):
+ return True
+
+ return False
+
 def query_dynamodb_vulns(repo_name):
 """
 Query DynamoDB for vulnerability information by repo_name.
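Review bot: The example pattern in the new header comment, `*.lock`, is not an entry in ALLOWED_FILES — the list carries `uv.lock` as an exact name — so a reader skimming the comment may conclude that lockfiles in general are allowed. Since every entry is now matched as a glob, I would illustrate with a pattern the list actually contains and say what that implies for plain names: `# Entries are glob patterns matched against the basename (e.g., "Dockerfile*"); a plain name still matches exactly, but "*", "?" and "[" in an entry are now metacharacters.` The one blank context line counted by the `-1,11 +1,13` header is not recoverable from the collapsed hunk.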
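Review bot: `"Dockerfile*"` (and `"Makefile*"` in PATCH 5/5) is wider than the variants it is presumably meant to cover: because is_file_allowed tests only the basename, any file whose name merely starts with `Dockerfile`, in any directory, now passes the allowlist — a constructed `Dockerfile_notes.sh` would be accepted alongside `Dockerfile.prod`. Two entries, `"Dockerfile", "Dockerfile.*"` (likewise `"Makefile", "Makefile.*"`), keep the stage/variant naming without the open-ended suffix. In is_file_allowed, `fnmatch.fnmatch` passes both operands through `os.path.normcase`, so the match is case-sensitive on Linux runners but case-insensitive on Windows; `fnmatch.fnmatchcase` gives the allowlist one behaviour everywhere, and the loop then reads as `return any(fnmatch.fnmatchcase(filename, pattern) for pattern in allowed_patterns)`. The entries visible here contain no glob metacharacters, but the list continues outside the hunk and any future literal name with `[`, `?` or `*` will need escaping now that every entry is a pattern.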
@@ -62,8 +84,7 @@ def check_patching_sla():
 with open(changed_files_path) as f:
 changed_files = f.read().splitlines()
 for file in changed_files:
- filename = os.path.basename(file)
- if filename not in ALLOWED_FILES:
+ if not is_file_allowed(file, ALLOWED_FILES):
 print(f"Repository {repo_name} is in the blocked repos list. Please see PR comment for details.")
 with open(comment_file, 'w') as f:
 f.write(f"## ⚠️ Heads-up: This repository will be blocked from any work other than patching.\n")
From ef602e187fdfb9d580561304f6994e051f39063f Mon Sep 17 00:00:00 2001
From: Jan Olderdissen
Date: Tue, 21 Apr 2026 18:51:51 +0200
Subject: [PATCH 2/5] Remove target repo pull.
---
 .github/workflows/patching-sla-check.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.github/workflows/patching-sla-check.yml b/.github/workflows/patching-sla-check.yml
index 4b1269e..67e5484 100644
--- a/.github/workflows/patching-sla-check.yml
+++ b/.github/workflows/patching-sla-check.yml
@@ -17,15 +17,11 @@ jobs:
 with:
 role-to-assume: arn:aws:iam::162856926107:role/gh-action-security-tools
 aws-region: us-east-1
- - name: Check out target repository
- uses: actions/checkout@v6
- with:
- fetch-depth: 0
 - name: Check out workflow tooling repository
 uses: actions/checkout@v6
 with:
 repository: devrev/global-gh-tools
- ref: main
+ ref: jro/allow_dockerfile_changes
 path: .global-checks-tooling
 - name: Load python requirements.
 run: |
From b67ed354e21838121f0e4750483438196a15228f Mon Sep 17 00:00:00 2001
From: Jan Olderdissen
Date: Tue, 21 Apr 2026 18:59:37 +0200
Subject: [PATCH 3/5] Put the repo fetch back in. It is needed when getting the changed files list.
---
 .github/workflows/patching-sla-check.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/patching-sla-check.yml b/.github/workflows/patching-sla-check.yml
index 67e5484..3d88d85 100644
--- a/.github/workflows/patching-sla-check.yml
+++ b/.github/workflows/patching-sla-check.yml
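Review bot: The new is_file_allowed call decides whether the repository gets blocked, but neither the print nor the PR comment that follow name the file that failed the allowlist, so the author of a blocked PR cannot tell which path tripped it and an auditor reading the job log cannot reconstruct the decision. Including the path in the log line, e.g. `print(f"Repository {repo_name} is in the blocked repos list: change to {file} is not in the patching allowlist. Please see PR comment for details.")`, makes the outcome traceable to its input; the same could be added to the comment body. check_patching_sla starts before the hunk and continues after it, so whether the loop stops at the first disallowed file or keeps overwriting `comment_file` is not visible here.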
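Review bot: This hunk is undone by the rest of the series: PATCH 3/5 re-adds the target-repository checkout it removes, PATCH 4/5 sets `ref: main` back, and the index line of PATCH 4/5 (`3d88d85..4b1269e`) returns the workflow to the very blob this hunk starts from (`4b1269e`), so the three workflow commits net to no change. Squashing or dropping them keeps a personal branch ref (`jro/allow_dockerfile_changes`) out of the history that anyone bisecting or auditing this workflow will read. The step list begins before the hunk; only the tail of the credentials step is visible.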
@@ -17,6 +17,10 @@ jobs:
 with:
 role-to-assume: arn:aws:iam::162856926107:role/gh-action-security-tools
 aws-region: us-east-1
+ - name: Check out target repository
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
 - name: Check out workflow tooling repository
 uses: actions/checkout@v6
 with:
From a40155c4b28d4a5d18626f19782fc94ca6584168 Mon Sep 17 00:00:00 2001
From: Jan Olderdissen
Date: Tue, 21 Apr 2026 19:03:48 +0200
Subject: [PATCH 4/5] Prepare for merge.
---
 .github/workflows/patching-sla-check.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/patching-sla-check.yml b/.github/workflows/patching-sla-check.yml
index 3d88d85..4b1269e 100644
--- a/.github/workflows/patching-sla-check.yml
+++ b/.github/workflows/patching-sla-check.yml
@@ -25,7 +25,7 @@ jobs:
 uses: actions/checkout@v6
 with:
 repository: devrev/global-gh-tools
- ref: jro/allow_dockerfile_changes
+ ref: main
 path: .global-checks-tooling
 - name: Load python requirements.
 run: |
From 01ad121cdbb9535150d66ad813f16d0253795f4d Mon Sep 17 00:00:00 2001
From: Jan Olderdissen
Date: Tue, 21 Apr 2026 19:04:59 +0200
Subject: [PATCH 5/5] Also allow Makefile changes.
---
 checks/check_patching_sla.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/checks/check_patching_sla.py b/checks/check_patching_sla.py
index 64115c7..eb135c9 100644
--- a/checks/check_patching_sla.py
+++ b/checks/check_patching_sla.py
@@ -22,7 +22,8 @@
 "Package.resolved",
 "project.pbxproj",
 "uv.lock",
- "Dockerfile*"
+ "Dockerfile*",
+ "Makefile*"
 ]
 def is_file_allowed(file_path, allowed_patterns):
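Review bot: The final state of the PATCH 4/5 hunk checks out `devrev/global-gh-tools` at `ref: main`, a mutable branch ref, so the code that enforces the patching SLA in every target repository is whatever main points to at run time, and a change to ALLOWED_FILES takes effect in callers without passing through their review. If the tooling repository's main branch is not protected to at least the standard of the repositories this check gates, pinning `ref:` to a commit SHA (and `actions/checkout@v6` to a SHA with the tag noted in a comment) makes each run reproducible and every widening of the allowlist an explicit bump. Whether such branch protection exists is not visible from the hunk.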